Security implementation by Microsoft's internal IT (MSIT)
Presentation transcript

  • We are like other large companies' IT departments: common infrastructure for business units
  • Priorities and challenges:
    • Security, Cost Reduction, Compliance and Privacy are our Top Priorities
    • Reactive and Lacks Agility
    • Ubiquitous Environments
    • The Challenge of Consumerization of IT
    • The Cloud Imperative
    • BI & Analytics Rule the Day
    • Vendor Consolidation
    • IT Simplification and Optimization
    • IT Talent Retention and Attraction
    • IT Business Alignment, Prioritization and Partnership
    • Innovation that Drives Productivity
    • Being Microsoft's First and Best Customer
    • Perpetual Software Deployments
    • CIO-Led Revenue Growth & Customer Engagement
    • Running an Enterprise on Beta Release Software
    • A Company of 95,000 CIOs
    • Biggest Target for Security Attacks
    • Moving from a Code-Centric to a Data-Centric Organization
    • Moving from a Functional-Based Org to a Process-Centric Org Model
    • Self-Service Model
  • Industry Trends: Cloud; Consumerization of IT; Data Explosion; Social Media; Regulatory Compliance; Security Threat Growth
    • IT of the Future, evolution of MS IT: FY05 Business Unit IT; FY07 Centralized IT; FY10 Standardized IT; FY12+ Process-Centric IT
    • "Virtually everything in business today is an undifferentiated commodity, except how a company manages its information. How you manage information determines whether you win or lose." – Bill Gates
  • Business drivers: Cost Reduction & Operational Efficiency; Risk Management & Compliance; Competitive Differentiation; Business Growth & Sales Performance; Business Process Simplification
    • Technology themes: Big Data; Business Intelligence & Analytics; Security Risk Management; Mobility & Consumerization of IT; Social Media and Computing; Cloud Computing; Virtualization; ERP & CRM; Business Process Management & Alignment
  • Business scorecard (FY13 H1):
    • Overall user satisfaction (NSAT) metric sustained at 135 but missed target, mainly due to limited DirectAccess deployment with the Windows 8 release
    • Identified programs/projects follow key ITLC controls: Q2 measure = 99%; recovering trend from get-to-green program
    • First and Best plan of record (+28% from FY13 Q1); FY13 Q2 Dynamics CRM Next / CRM Online not released to MSIT; data sync issues between Microsoft AD and MS online services
    • % Shared goals met: 3 red programs (Azure, Dynamics CRM Next, Office 365 SharePoint Online), one yellow (Internet Explorer 10)
    • Security Health Index: BitLocker compliance, FY13 H1 misses
    • Top programs: SharePoint solution and collaboration platform
    • CIO scorecard, values listed in the slide's column order (Q1, Q2, H1, Baseline, H1 Target, Stretch; then Owner):
      Strengthen partnerships
        Business value realization (BVR): 37% 55% 55% -- 25% 25% | Jim DuBois
        Overall user experience (NSAT): -- -- 135 135 133 139 144 | Walter Puschner
        % of LOB QBRs utilizing key artifacts (COS, ProForma, SoaP): -- -- 90% 90% 84% 85% 90% | Shahla Aly
        MS first and best (partnership health): -- -- -- -- Annual -- 74% 75% 77% | Jim DuBois
        Business partner satisfaction: -- -- -- -- Annual -- 151 154 158 | Walter Puschner
      Enable revenue
        MS first and best (plan of record): 64% 92% 92% 100% 100% 100% | Jim DuBois
        Aggregate revenue value addressed by MSIT engagements: $401.9M $1,389M $1,389M N/A $1,290M $1,419M | Walter Puschner
      Deliver quality
        Risk management (# of past due items): 0 0 0 0 0 0 | Bret Arsenault
        Identified programs/projects follow key ITLC controls: 87% 99% 93% 89% 95% 97% | Kurt Samuelson
      Digitize process
        Application reduction: 1,080 1,065 1,065 1,093 1,073 1,065 | Jacky Wright
        Business processes base-lined: 100% 100% 100% 95% 95% 100% | Jacky Wright
        Data models defined and implemented: 100% 100% 100% N/A 95% 100% | Jacky Wright
        End-to-end user scenarios defined: 100% 100% 100% N/A 95% 100% | Kurt Samuelson
      Lead with innovation
        % Shared goals met: 87% 87% 87% 90% 90% 92% | Jim DuBois
      Optimize IT
        Program delivery on-time (BL-SL): 88% 94% 91% 89% 90% 92% | Kurt Samuelson
        Fiscal responsibility (QTD variance to budget): 1.0% 0.9% 0.9% -2.5% 3% 0% | Matt Kellerhals
        Program delivery (on budget): -- -- 47% 47% 44% 40% 42% | Matt Kellerhals
        Hard benefits and cost avoidance: $14.8M $27.8M $27.8M $57M $20M $26M | Jacky Wright
        Application availability: 99.97% 99.97% 99.97% 99.93% 99.90% 99.95% | Jacky Wright
        Stay current - OS: 94% 95% 95% 92% 80% 85% | Walter Puschner
        Security health index: 96% 92% 94% 97% 95% 100% | Bret Arsenault
        Windows Server 2012 adoption: 1% 3% 3% N/A 15% 17% | Walter Puschner
      Invest in our people
        IT WHI: -- -- -- -- Annual -- 74% 76% 77% | John Williams
    • Top programs for FY13 (tracked on Overall, Scope, Schedule, Budget, Adoption): BI business self service; DAX phase 1; Enterprise job automation; Enterprise security platform; Enterprise service bus; Incentive compensation – ENTICE next gen platform; Laminar; Lotus – phase 1; MS Cloud; MS Sales; MSCOM analytics and reporting; OA 3.0 – Windows client – quarterly release; One plan – Channel Incentives; Project Tiger; SharePoint solution and collaboration platform; Updated EA
  • 107 countries, 586 buildings
  • 94k mobiles syncing; 2,400; 1,300; 17,000 wireless access points
  • Connectivity profiles by office type:
    • Low bandwidth: Internet Connected Office (ICO2); Corp Net connected via tunnel; Products file share only; mix of wired and wireless; native connection; when mobile – DA and VPN
    • Good bandwidth: Internet or ICO1; Products file share only; mix of wired and wireless; native connection; always mobile – DA and VPN
    • Metered networks (possible poor bandwidth): Internet or ICO1; Products file share only; mix of wired and wireless; native connection; always mobile – VPN to control network usage
    • Good bandwidth, Corp Net connected: WDS, OSD, and Products file share; mix of wired (WDS & OSD) and wireless (Products file share); native connection; when mobile – DA preferred solution
  • 56% a month misplace a device; 1 in 30 mins an iPhone is lost
  • Balancing: Security of Digital Assets / Time / Anywhere Access
  • Computed Access: factors, assurance level and examples
    • Identity (0–100%): Live ID vs. Active Directory; Strong Auth vs. Username/Password
    • Device (0–100%): Approved / Authenticated; Managed, Self-Managed, Unmanaged
    • Location (0–100%): IPv4 vs. US; Internal vs. External; Country Location
    • Data / Application (LBI/MBI/HBI): LBI, MBI, HBI Data; Applications (Corporate, Consumer, Signed)
    • Variable User Experience (VUE): Full network access, requires StrongAuthN; Full access, but no local data, StrongAuth required; Linked network, web apps, simple AuthN; No access, guest Internet
  • Secure the Network Perimeter; Secure the Network Interior; Secure Key Assets; Monitor and Audit (HBI / MBI / LBI)
  • Microsoft IT Environment – Managing Everything that Should be Managed
    • IPSec boundary: domain joined systems (Secure Net); remote access clients/dial-up; non-corp domain machines; labs ~70,000
    • All devices ~800,000; domain joined devices ~320,000; devices managed through Config Mgr ~330,000; datacenter ~31,500; separate Config Mgr hierarchies
    • Cooperative computer management model: MSIT & users working together; 10 languages supported for patching; completely centralized administration
  • Strong Password Requirements
    • Passwords expire every 70 days
    • Administrator-level passwords are 15 alphanumeric characters in length
    • User passwords are at least eight alphanumeric characters in length
    • Passwords contain uppercase and lowercase characters, digits, and punctuation
    • Passwords do not contain slang, dialect, or jargon in any language, and are not based on personal information such as family names
    • New passwords vary significantly from prior passwords
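The rules on this slide, as an added Python checker that is not part of the MSIT deck: length by role (15 admin / 8 user), the four character classes, a personal-information screen, a prior-password similarity test and the 70-day expiry. The similarity metric (Levenshtein distance under half the minimum length), the substring test for personal terms and the sample inputs are this example's own assumptions.

```python
# Added example, not MSIT code: encodes the password rules from the slide.
import string
from datetime import date

MAX_AGE_DAYS = 70          # "passwords expire every 70 days"
MIN_LEN_USER = 8           # "user passwords are at least eight characters"
MIN_LEN_ADMIN = 15         # "administrator-level passwords are 15 characters"

def edit_distance(a, b):
    """Levenshtein distance, used to judge whether a new password differs enough."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def password_violations(new_pw, prior_pws, personal_terms, is_admin=False):
    """Return the list of policy violations for new_pw (empty list = compliant)."""
    min_len = MIN_LEN_ADMIN if is_admin else MIN_LEN_USER
    problems = []
    if len(new_pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = {
        "uppercase": any(c.isupper() for c in new_pw),
        "lowercase": any(c.islower() for c in new_pw),
        "digit": any(c.isdigit() for c in new_pw),
        "punctuation": any(c in string.punctuation for c in new_pw),
    }
    problems += [f"missing {name}" for name, ok in classes.items() if not ok]
    lowered = new_pw.lower()
    # "not based on personal information such as family names": assumed substring match
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    # "vary significantly from prior passwords": assumed edit-distance threshold
    for old in prior_pws:
        if edit_distance(lowered, old.lower()) < min_len // 2:
            problems.append("too similar to a prior password")
            break
    return problems

def password_expired(last_changed_iso, today_iso):
    """True once a password is older than the 70-day rotation period."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > MAX_AGE_DAYS
```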
  • Remote access channels: DA / VPN; EAS; OWA
  • Smart cards for RAS
  • Card management roles:
    • Card management: card issuance; certificate approvals; distribution & support; policy & exception management
    • Delegates: submit certificate requests on the user's behalf; distribution
    • Users: PIN resets; certificate renewal
  • Seamless connectivity experience across a plethora of devices; TPM chip; smart card with a valid certificate and a smart card reader
  • DirectAccess building blocks:
    • Transition services: ISATAP, NAT-PT, Teredo, 6to4
    • 2-factor authentication (2FA)
    • IPSec encryption & authentication
    • GPO for client configuration
    • Network Access Protection (IPSec-WSHA) for security
    • Split-tunnel configuration (less traffic on proxy servers)
    • Remediation servers
    • Authentication on: identity; group and role; across perimeter, internal network, host
    • Governance and risk management: central policy defines 'healthy'; compliance reported and tracked; compliance used for authorization
  • Hybrid architecture diagram (on premises / on cloud / extranet / CorpNet); components shown: Web Role; Worker Role; Azure Storage; App Fabric; transport connectivity (e.g. Azure Connect, custom plug-in/extension); data connectivity (e.g. Azure Data Sync, custom plug-in/extension); Client; SQL Server; Web Services; Corp STS; ADFS; SQL Azure; App Monitoring; Keynote (monitoring); System Monitoring; Access Control Service; Cache; Service Bus; Azure CDN; users: Employees, Partners, Customers; identity providers: External Partners, Windows Live ID, Org ID
  • Patch deployment timeline (chart; axis "% Vulnerable Clients" with ticks 30%, 20%, 5%, 3%, 2% over 24 hrs, 48 hrs, 5 days, 7 days, 24 days; client impact runs from Low to High across the stages)
    • Current days to exploit = 3 days
    • 5 days – SMS forced patching begins for normal cycle
    • 7 days – Port shutdowns begin
    • 24 days average to 98% secured
    • Stages: Microsoft Update; e-mail & IT Web notification (optional); SCCM updates management (voluntary > forced); SER scanning & scripted updating; port shutdowns
  • AppLocker
    • Problem: users can install and run non-standard applications; even standard users can install some types of software; unauthorized applications may introduce malware, increase helpdesk calls, reduce user productivity, undermine compliance efforts
    • Capability: block unauthorized P2P applications; easily create and manage flexible rules using Group Policy; built-in feature of Windows 7 and Windows Server 2008 R2; improved system management; improved legal compliance; reduced support costs
    • MSIT deployment: Microsoft IT awareness campaign; open methodology based on MS culture; 1.5% exception requests; build an isolated reference machine when deploying AppLocker; use audit-only mode to test enforcement settings; export the GPO from the reference machine
  • Rights Management Services: protection of intellectual property; greater sharing of sensitive information; simple tools for users using any RMS-enabled application; verification of usage policies is transparent to users; powerful document protection features; persistent file-level protection extends and enhances security efforts; ease of implementation for IT
  • http://NowYouKnow – What you will find
  • Device support matrix. Columns (in slide order): Domain Joined – MSIT Standards, PC with TPM, PC w/o TPM; Non Domain Joined – PC, MS Phone, Non-PC Device. Device examples on the slide: MSIT Standards Enterprise Class PCs with TPM; Consumer PCs (Sony, ASUS, Acer…); MSIT Standards Windows Mobile / Windows 8 RT; Enterprise Class and Consumer PCs; Android and future ChromeOS devices; Apple Mac with Bootcamp; Apple Mac with Mac OS X; iPhone & iPad
    • MSIT Services, values in column order:
      Helpdesk Hardware Support: Yes, Best Effort, Best Effort | Maybe, No, No
      Helpdesk Software Support: Yes, Yes, Yes, Yes, Yes
      LOB Applications: Yes, Yes, Yes | Yes, Yes, No
      Patching: Yes, Yes, Yes | No, No, No
      Driver support in MSIT images: Yes, No, No | Maybe, No, No
      BitLocker + TPM: Yes, Manually, No * | No, No, No *
      UEFI BIOS: Pending, Pending, Pending | Pending, No, No
      DirectAccess: Yes, Probably, No | No, No, No
      VPN with Smartcard: Yes, Yes, Yes | Yes, No, No
      WiFi: Yes, Yes, Yes | Yes, Yes, No (Android)
      Exchange: Yes, Yes, Yes | Yes, Yes, Limited
      Corporate Access: Yes, Yes, Yes | Limited, Limited, Limited
      Lync / UC: Yes, Yes, Yes | Yes, Yes, No
    • * Concerns with PII / HBI data loss